The recent breach of student information at a local high school showed improper response and failure to follow basic guidelines, but represents an opportunity for schools across the region to improve student protection and demonstrate due care.

February 8, 2013 /PR/ Last week’s breach of privacy impacted approximately a thousand students and their families, with personal information including phone numbers, personal emails and sensitive Ontario education numbers sent in an attachment to newsletter recipients. This brought about the very real risk of identity theft and more breaches of privacy for students and their families.

According to the Education Act, this information is an integral part of the Ontario Student Record (OSR), a confidential file that represents the student’s educational progress through the school system in the province. According to the Information and Privacy Commissioner of Ontario (IPC), boards of Education are required by law to preserve the confidentiality of this sensitive information. The IPC’s “Guide to Ontario Legislation Covering the Release of Students’ Personal Information” authored by Commissioner Ann Cavoukian, indicates that parents or students 18 or over can request that personal records be removed or destroyed from the OSR under certain conditions.

Concerned and angry parents have taken steps to contact the Board of Education and local media to express their disappointment. “Parents have a right to be angry. The School Board has publicly disseminated enough personal information for anyone to impersonate their child, and potentially gain access to their entire Ontario Student Record” said Claudiu Popa, a security expert recognized by the Office of the Privacy Commissioner as a Privacy by Design Ambassador.

Although the school’s response has been that they are taking the matter “very, very seriously”, the board’s reaction has been disappointing, with the assistant manager of public affairs, Christina Choo-Hum, simply stating that breaches do happen in every organization.

Claudiu Popa, who offers privacy education for teachers, parents and students at no charge as part of a community initiative called KnowledgeFlow, said: “The legislative landscape may appear complex, with the Board having to comply with MFIPPA, the Education Act and even PHIPA laws, but one fact is absolutely crystal clear. The personal information of students is the single most valuable and sensitive data in their custody. The Board doesn’t own this information, but they are required to protect it at all costs. Unfortunately the response from the York Region District School Board has shown a lack of understanding and accountability, which indicates not only that this has happened before but that it may very well happen again.”

Popa, a certified privacy professional and author of multiple books on information protection, says that 3 simple steps would have prevented the breach. Schools that have not yet identified such lapses in compliance and protection have a real opportunity to show leadership and due care with the following best practices:

- assign a privacy officer in each school and invest in their professional training
- ensure that OSR data is properly classified, clearly identified and tracked
- use encryption to ensure that confidentiality is preserved

“Any one of these best practices would have prevented this breach and it is clearly unacceptable to still hear about serious incidents like this at a time where the public is so sensitized to abuse of child information, cyberbullying, online fraud and other types of crime. I don’t mean to plug our free training, but this is basic stuff that I even teach kids who come to my community seminars.”

“Not being able to trust a car rental firm or a social media company with our children’s information is one thing, but for the Board of Education to compromise its good name and reputation by simply downplaying a serious breach does come with a certain degree of arrogance.” Popa added that enforced policies and employee training should be mandatory and frequent to ensure that incident reporting, breach notification and data classification are consistently respected by all employees and contractors of every school and every board of education across Ontario.

To register students, parents or teachers for KnowledgeFlow Cybersafety Education programs (at no charge) contact Catherine Sword at the Whitchurch-Stouffville Public Library at 905-642-READ or email Register@KnowledgeFlow.ca.

An excellent perspective on the privacy risk in the educational sector. The fact that this is information about children makes it all the more sensitive. The public can be forgiving with respect to the fact that these incidents do happen, but they are not forgiving with how an organization handles it. Downplaying the significance of this was the worst thing they could have done. They should have said it was serious and presented a clear plan as to how they were going to deal with it, and prevent it from happening again. That is what people want to know and allow them to be more forgiving.
